cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Sentinel Query Error: Failed to resolve table

carliv
Copper Contributor

‎Apr 11 2022 04:18 AM - edited ‎Apr 11 2022 04:19 AM

‎Apr 11 2022 04:18 AM - edited ‎Apr 11 2022 04:19 AM

Sentinel Query Error: Failed to resolve table

Hey, for a couple of weeks now we can no longer query for CommonSecurityLog, just getting an error:

 

'order' operator: Failed to resolve table or column expression named 'CommonSecurityLog'

If issue persists, please open a support ticket.

 

Query:

CommonSecurityLog
| sort by TimeGenerated

 

I can run the same query in other tenants and I know it should work. Ms support have working on this for weeks, but we are getting nowhere.

 

I know the logs are beeing ingested, because incidents are triggered based on cef logs. We just cannot query them...

 

Any others seen similar errors?

Labels:
2,482 Views
0 Likes
5 Replies
Reply
5 Replies
Gary Bushey

‎Apr 11 2022 10:29 AM

‎Apr 11 2022 10:29 AM

Re: Sentinel Query Error: Failed to resolve table

Do you get the same error if you just double-click on "CommonSecurityLog" in the table listing and run that?
0 Likes
Reply
carliv

‎Apr 12 2022 06:40 AM

‎Apr 12 2022 06:40 AM

Re: Sentinel Query Error: Failed to resolve table

@Gary Bushey 

Hey, its not in the table listing

carliv_0-1649770694758.png

 

0 Likes
Reply
Gary Bushey

‎Apr 12 2022 10:48 AM

‎Apr 12 2022 10:48 AM

Re: Sentinel Query Error: Failed to resolve table

Expand the the "Microsoft Sentinel" group in the "Tables" listing to the left of where you enter your query and see if it shows up there. Double click on it and it should just paste the name into the query where you can run it and see what happens.

Typically, if the table doesn't show up like you are showing it means there is no data in it. You can open the Log settings (gear icon in the upper right of the Logs area, NOT in the Azure header bar) and there is a setting to "Show tables with no data". You can enable that to see all the tables.
0 Likes
Reply
carliv

‎Apr 13 2022 01:01 AM - edited ‎Apr 13 2022 01:02 AM

‎Apr 13 2022 01:01 AM - edited ‎Apr 13 2022 01:02 AM

Re: Sentinel Query Error: Failed to resolve table

@Gary BusheyThanks again Gary for responding! We are actually missing the Microsoft Sentinel Group. Starting to wonder if this somehow got deleted. Enabled the "show tables with no data"

 

carliv_0-1649836921745.png

 

0 Likes
Reply
Gary Bushey

‎Apr 13 2022 03:54 AM

‎Apr 13 2022 03:54 AM

Re: Sentinel Query Error: Failed to resolve table

I would open a ticket about that. There definitely should be data there somewhere.
0 Likes
Reply